apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: postgres-tde
  namespace: default
spec:
  workloadSelector:
    labels:
      app: client
  configPatches:
  - applyTo: LISTENER
    match:
      context: SIDECAR_OUTBOUND
    patch:
      operation: ADD
      value:
        name: postgres_listener
        address:
          socket_address:
            protocol: TCP
            address: 0.0.0.0
            port_value: 5433
        filter_chains:
        - filters:
          - name: envoy.filters.network.postgres_tde
            typed_config:
              "@type": type.googleapis.com/udpa.type.v1.TypedStruct
              type_url: type.googleapis.com/envoy.extensions.filters.network.postgres_tde.PostgresTDE
              value:
                stat_prefix: stats
                terminate_ssl: true
                upstream_ssl: 0
                permissive_parsing: false
          - name: envoy.tcp_proxy
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
              stat_prefix: tcp
              cluster: postgres_cluster
  - applyTo: CLUSTER
    patch:
      operation: ADD
      value:
        name: postgres_cluster
        connect_timeout: 1s
        type: STRICT_DNS
        load_assignment:
          cluster_name: postgres_cluster
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: postgres
                    port_value: 5432
